Configuring and enforcing role separation

Role separation is enforced by the person who installs the database server (the DBSA or the operating-system administrator), who decides which users (Windows) or groups (UNIX) hold the DBSSO and AAO roles. On UNIX, the group that holds a role is the group that owns the corresponding subdirectory of $ONEDB_HOME; on Windows the equivalent location is %ONEDB_HOME%.

On Windows, role separation is configured only during installation. On UNIX, you normally configure it during installation, but you can also configure it after the installation is complete or after the database server is configured. The group that owns $ONEDB_HOME/aaodir is the AAO group, and the group that owns $ONEDB_HOME/dbssodir is the DBSSO group (the DBSA group is the one that owns $ONEDB_HOME/etc). By default, the single group onedb holds all three roles, so until you change the owning groups no role is separated from the DBSA.

On UNIX, if you use the InstallShield MultiPlatform (ISMP) installer in GUI or terminal mode to install the database software, you are asked whether you want to configure role separation. If instead you use the scripted bundle installer, the environment variable INF_ROLE_SEP controls whether you are asked to set up separate roles. If INF_ROLE_SEP exists in the environment (with or without a value), role separation is enabled and you are asked to specify the DBSSO and AAO groups. (You are not asked about the DBSA group.) If INF_ROLE_SEP is not set, the default group onedb is used for all three roles.

You do not need to give INF_ROLE_SEP a value; it only has to exist in the environment. For example, in a C shell, setenv INF_ROLE_SEP is sufficient; in a POSIX shell, export INF_ROLE_SEP= (an empty value) has the same effect.

After the installation is complete, INF_ROLE_SEP has no effect: role separation is then determined solely by which group owns each role directory. You can establish role separation manually by changing the group that owns the aaodir, dbssodir, or etc directory, and you can disable it again by resetting the owning group to the default group onedb. Group ownership is only half of the control; the directory mode must also deny access to users outside that group (aaodir and dbssodir in the listing below are mode 770, so non-members cannot even read them). You can have role separation enabled for the AAO without having it enabled for the DBSSO.

Role separation control is through the following group memberships:

  • Users who can perform the DBSA role are group members of the group that owns the directory $ONEDB_HOME/etc.
  • Users who can perform the DBSSO role are group members of the group that owns the $ONEDB_HOME/dbssodir directory.
  • Users who can perform the AAO role are group members of the group that owns the $ONEDB_HOME/aaodir directory.
Note: For each of the groups, the default group is the group onedb.
A long listing of $ONEDB_HOME (ls -l, or ls -lg on UNIX systems where -g adds the group column) shows role separation in effect:
total 14
drwxrwx---  2 informix       ix_aao    512 Nov 21 09:56 aaodir/
drwxr-xr-x  2 informix       informix 1536 Nov 30 18:35 bin/
drwxrwx---  2 informix       ix_dbsso  512 Nov 30 10:54 dbssodir/
drwxr-xr-x 10 informix       informix  512 Nov 21 09:55 demo/
drwxrwxr-x  2 informix       informix 1024 Nov 30 11:37 etc/

In the preceding example, the AAO belongs to the group ix_aao, the DBSSO belongs to the group ix_dbsso, and the DBSA belongs to the group that owns etc, which in this listing is informix (on a default OneDB installation it is onedb). Note that aaodir and dbssodir grant no access to others, while etc stays world-readable because ordinary users need the configuration files in it.

Users must also belong to the right group to connect to the database server at all. That group is set in $ONEDB_HOME/dbssodir/seccfg; because the file lives in dbssodir, maintaining it is a DBSSO task. For example, a typical seccfg contains IXUSERS=*, which means that any user can connect. If the file names a specific group, such as IXUSERS=engineer, only members of the group engineer can connect to the database server.
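The checks described above (which group owns etc, dbssodir and aaodir, and what IXUSERS in seccfg allows) are easy to script. The following is an added example and is not part of the HCL OneDB documentation or product: a POSIX shell script that reports which group holds each role, decides whether role separation is in effect, reads IXUSERS, and tests whether a given user would be admitted. The separate_role function performs the manual configuration from the earlier paragraph (chgrp on a role directory); the mode 770 it applies is taken from the listing above, not from a documented requirement. When ONEDB_HOME is unset the script runs against a constructed throwaway directory so it can be tried offline; the names owning_group, role_groups, role_separation_state, ixusers_group, can_connect, separate_role and make_demo_home are this example's own.

```shell
#!/bin/sh
# Added example, not OneDB code: inspect role separation under $ONEDB_HOME.

# Owning group of a path, taken from the 4th column of a long listing.
# (Portable across GNU and BSD ls; avoids stat(1) flag differences.)
owning_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Print "ROLE group" for DBSA (etc), DBSSO (dbssodir) and AAO (aaodir).
role_groups() {
    home=$1
    printf 'DBSA %s\n'  "$(owning_group "$home/etc")"
    printf 'DBSSO %s\n' "$(owning_group "$home/dbssodir")"
    printf 'AAO %s\n'   "$(owning_group "$home/aaodir")"
}

# "enabled" if DBSSO or AAO is held by a group other than the DBSA group
# (AAO may be separated without DBSSO), otherwise "disabled".
role_separation_state() {
    home=$1
    dbsa=$(owning_group "$home/etc")
    dbsso=$(owning_group "$home/dbssodir")
    aao=$(owning_group "$home/aaodir")
    if [ "$dbsso" != "$dbsa" ] || [ "$aao" != "$dbsa" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Value of IXUSERS from dbssodir/seccfg ("*" admits every user).
# Prints "missing" if the file has no IXUSERS line or is unreadable.
ixusers_group() {
    cfg=$1/dbssodir/seccfg
    val=$(sed -n 's/^IXUSERS=//p' "$cfg" 2>/dev/null | head -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo missing; fi
}

# Would user $2 be admitted under IXUSERS value $1?  "*" means yes;
# otherwise the user must be a member of the named group (per id -Gn).
can_connect() {
    ixusers=$1; user=$2
    [ "$ixusers" = "*" ] && { echo yes; return; }
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$ixusers" ] && { echo yes; return; }
    done
    echo no
}

# Manual role separation for dbssodir or aaodir (run as root on a real
# server): hand the directory to a dedicated group and close it to others.
# Mode 770 is an assumption taken from the listing on this page.
separate_role() {
    dir=$1; group=$2
    chgrp "$group" "$dir" && chmod 770 "$dir"
}

# Constructed throwaway $ONEDB_HOME: all three role directories end up
# owned by the current user's group, so separation reads as "disabled".
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/dbssodir" "$d/aaodir"
    printf 'IXUSERS=engineer\n' > "$d/dbssodir/seccfg"
    echo "$d"
}

[ -n "$ONEDB_HOME" ] || ONEDB_HOME=$(make_demo_home)
role_groups "$ONEDB_HOME"
echo "role separation: $(role_separation_state "$ONEDB_HOME")"
echo "IXUSERS: $(ixusers_group "$ONEDB_HOME")"
```

On a real server, run it with ONEDB_HOME pointing at the installation; if it reports "enabled" but the DBSSO and AAO directories are not mode 770, ownership alone is not keeping non-members out.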

For Windows, role separation control is through the Role Separation dialog box, which opens during installation, and through registry settings. If the Enable Role Separation check box is checked in the Role Separation dialog box, the DBSA can specify different roles.

For more information about environment variables, see the HCL OneDB™ Guide to SQL: Reference. For more information about configuring role separation, see your HCL OneDB Administrator's Guide.